FortiWeb™ Web Application Security
Version 4.0.2
Administration Guide

FortiWeb™ Web Application Security Administration Guide
Version 4.0.2
Revision 2
7 April 2010
© Copyright 2010 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Regulatory compliance
FCC Class A Part 15 CSA/CUS

CAUTION: Risk of explosion if battery is replaced by incorrect type. Dispose of used batteries according to instructions.

FortiWeb™ Web Application Security Version 4.0.2 Administration Guide, Revision 2
http://docs.fortinet.com/ • Feedback

Contents
Introduction.............................................................................................. 9
Registering your Fortinet product................................................................................. 9
Customer service & technical support ......................................................................... 9
Training.......................................................................................................................... 10
Documentation.............................................................................................................. 10
Scope ............................................................................................................................. 10
Conventions .................................................................................................................. 11
IP addresses............................................................................................................. 11
Cautions, Notes, & Tips............................................................................................ 11
Typographical conventions....................................................................................... 11
Command syntax conventions.................................................................................. 12
Characteristics of XML threats .................................................................................... 14
Characteristics of HTTP threats .................................................................................. 15
What's new ............................................................................................. 19
About the web-based manager............................................................. 21
System requirements.................................................................................................... 21
URL for access.............................................................................................................. 21
Settings.......................................................................................................................... 22
Language support & regular expressions.................................................................. 22
System .................................................................................................... 25
Viewing the system statuses ....................................................................................... 25
System Information widget ....................................................................................... 27
Changing the FortiWeb unit's host name........................................................... 29
System Resources widget........................................................................................ 29
CLI Console widget................................................................................................... 30
Alert Message Console widget................................................................................. 31
Service Status widget............................................................................................... 32
Policy Summary widget ............................................................................................ 33
Configuring the network interfaces............................................................................. 34
About VLANs...................................................................................................... 39
Configuring bridges................................................................................................... 39
Configuring fail-open................................................................................................. 41
Configuring the DNS settings...................................................................................... 42
Configuring high availability (HA) ............................................................................... 42
About the heartbeat and synchronization................................................................. 46
Configuring the SNMP agent ....................................................................................... 47
Configuring an SNMP community............................................................................. 48
Configuring DoS protection......................................................................................... 50
Configuring the operation mode ................................................................................. 51
Configuring administrator accounts........................................................................... 53
About trusted hosts................................................................................................... 56
Configuring access profiles....................................................................................... 56
About permissions.................................................................................................... 58
Configuring the web-based manager's global settings ............................................ 60
Managing certificates ................................................................................................... 61
Managing local and server certificates ..................................................................... 62
Generating a certificate signing request............................................................. 63
Downloading a certificate signing request.......................................................... 66
Uploading a certificate........................................................................................ 66
Managing OCSP server certificates.......................................................................... 68
Managing CA certificates.......................................................................................... 68
Grouping CA certificates .................................................................................... 69
Managing certificates for intermediate CAs ....................................................... 70
Grouping certificates for intermediate CAs ........................................................ 71
Managing the certificate revocation list..................................................................... 72
Configuring certificate verification rules.................................................................... 73
Backing up the configuration & installing firmware.................................................. 74
Configuring the time & date......................................................................................... 75
Uploading signature updates....................................................................................... 77
Scheduling signature updates..................................................................................... 78
Router...................................................................................................... 81
Configuring static routes ............................................................................................. 81
User......................................................................................................... 83
Configuring local users................................................................................................ 83
Configuring LDAP user queries................................................................................... 84
Configuring NTLM user queries .................................................................................. 87
Grouping users ............................................................................................................. 88
Server Policy .......................................................................................... 91
Configuring policies ..................................................................................................... 91
Enabling or disabling a policy................................................................................. 101
Configuring virtual servers ........................................................................................ 101
Enabling or disabling a virtual server...................................................................... 103
Configuring physical servers..................................................................................... 103
Enabling or disabling a physical server .................................................................. 105
Grouping physical servers into server farms .......................................................... 106
Configuring server health checks ........................................................................... 109
Configuring custom services..................................................................................... 111
Viewing the list of predefined services.................................................................... 113
Configuring protected hosts...................................................................................... 113
Grouping the predefined data types ......................................................................... 116
Viewing the list of predefined data types................................................................ 118
Grouping the predefined suspicious URLs.............................................................. 120
Viewing the list of predefined URL rules................................................................. 121
XML Protection..................................................................................... 123
Configuring schedules ............................................................................................... 123
Configuring one-time schedules............................................................................. 123
Configuring recurring schedules............................................................................. 124
Configuring content filter rules ................................................................................. 126
How priority affects content filter rule matching...................................................... 129
Enabling or disabling a content filter rule................................................................ 129
Configuring intrusion prevention rules .................................................................... 130
Enabling or disabling an intrusion prevention rule.................................................. 132
Configuring WSDL content routing groups.............................................................. 133
Managing XML signature and encryption keys........................................................ 135
Uploading a key...................................................................................................... 135
Grouping keys into key management groups......................................................... 136
Managing Schema files .............................................................................................. 138
Enabling or disabling a Schema file........................................................................ 140
Managing WSDL files.................................................................................................. 141
Enabling and disabling operations in a WSDL file.................................................. 142
Grouping WSDL files.............................................................................................. 143
Configuring XML protection profiles......................................................................... 144
Web Protection..................................................................................... 151
Order of execution ...................................................................................................... 151
Configuring input rules .............................................................................................. 152
Grouping input rules into parameter validation rules.............................................. 156
Configuring page order rules..................................................................................... 158
Configuring server protection rules.......................................................................... 161
Configuring server protection exceptions ............................................................... 167
Configuring start pages.............................................................................................. 170
Configuring URL black list rules ............................................................................... 173
Configuring URL white list rules ............................................................................... 175
Blacklisting client IP addresses ................................................................................ 177
Enabling or disabling IP address blacklisting.......................................................... 178
Viewing the top 10 IP black list candidates............................................................. 179
Whitelisting client IP addresses ................................................................................ 180
Configuring brute force login attack sensors .......................................................... 181
Configuring robot control sensors............................................................................ 184
Viewing the predefined list of well-known robots.................................................... 187
Grouping predefined robots.................................................................................... 188
Grouping custom robots ......................................................................................... 189
Configuring allowed method exceptions.................................................................. 191
Configuring hidden field rules................................................................................... 194
Grouping hidden field rules..................................................................................... 197
Configuring URL rewriting ......................................................................................... 199
Grouping URL rewriting rules ................................................................................. 202
Example: Rewriting URLs using regular expressions............................................. 204
Example: Rewriting URLs using variables.............................................................. 204
Configuring HTTP protocol constraints.................................................................... 205
Configuring HTTP authentication.............................................................................. 207
Configuring authentication rules............................................................................. 208
Grouping authentication rules into authentication policies...................................... 211
Configuring inline web protection profiles............................................................... 213
Configuring offline protection profiles ..................................................................... 219
Configuring auto-learning profiles............................................................................ 223
Auto Learn............................................................................................ 227
Generating an auto-learning profile and its components ....................................... 227
Viewing auto-learning reports ................................................................................... 228
About the attack count............................................................................................ 232
Generating a profile from auto-learning data........................................................... 232
Web Anti-Defacement.......................................................................... 237
Configuring anti-defacement ..................................................................................... 237
About web site backups.......................................................................................... 241
Reverting a web site to a backup revision................................................................ 241
Web Vulnerability Scan ....................................................................... 243
Preparing for the vulnerability scan job ................................................................... 243
Configuring vulnerability scans ................................................................................ 243
Viewing a vulnerability report.................................................................................... 248
Log&Report .......................................................................................... 251
About logging.............................................................................................................. 251
Log types................................................................................................................ 251
Log message severity levels................................................................................... 252
Configuring logging and alerts.................................................................................. 252
Enabling logging and alerts .................................................................................... 253
Obscuring sensitive data in the logs....................................................................... 255
Configuring logging to the local hard disk............................................................... 256
Configuring logging to memory............................................................................... 258
Configuring logging to a Syslog server or FortiAnalyzer unit.................................. 259
Configuring and testing alerts................................................................................. 260
Viewing log messages................................................................................................ 262
Customizing the log view........................................................................................ 264
Displaying and arranging log columns ............................................................. 265
Filtering log messages ..................................................................................... 266
Grouping similar attack log messages ............................................................. 267
Configuring and generating reports.......................................................................... 268
Configuring a report profile..................................................................................... 269
Configuring the headers, footers, and logo of a report profile.......................... 270
Configuring the time period and log filter of a report profile ............................. 271
Configuring the query selection of a report profile ........................................... 273
Configuring the advanced options of a report profile ....................................... 274
Configuring the schedule of a report profile ..................................................... 274
Configuring the output of a report profile.......................................................... 275
Viewing and downloading reports............................................................................. 277
Installing firmware ............................................................................... 279
Testing new firmware before installing it ................................................................. 279
Installing firmware ...................................................................................................... 281
Installing backup firmware......................................................................................... 283
Restoring firmware ..................................................................................................... 285
Appendix A: Supported RFCs............................................................. 289
Appendix B: Maximum values matrix ................................................ 291
Appendix C: SNMP MIB support......................................................... 293
Index...................................................................................................... 295
Introduction
Welcome and thank you for selecting Fortinet products for your network protection.

FortiWeb units are designed specifically to protect web servers. Traditional firewalls and unified threat management (UTM) devices often understand the HTTP protocol, but do not understand simple object access protocol (SOAP) and other XML protocols and document types encapsulated within HTTP (RFC 2616). Because they lack in-depth inspection and analysis, traditional firewalls often cannot route connections based upon XML content. Worse still, attackers can bypass traditional firewall protection and cause problems for web servers that host HTML or XML-based services.

High performance is also important because XML and SOAP parsing requires relatively high amounts of CPU and memory resources. Traditional firewalls may be devoted to other business critical security functions, unable to meet performance requirements while also performing thorough scanning of XML and other HTTP document requests.

FortiWeb units are designed specifically to meet these needs. In addition to providing application content-based routing and in-depth protection for many HTTP/HTTPS- and XML-specific attacks, FortiWeb units contain specialized hardware to accelerate SSL processing, and can thereby enhance both the security and the performance of connections to your web servers.

This section introduces you to FortiWeb units and the following topics:
• Registering your Fortinet product
• Customer service & technical support
• Training
• Documentation
• Scope
• Conventions
• Characteristics of XML threats
• Characteristics of HTTP threats

Registering your Fortinet product
Before you begin, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com.

Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration. For more information, see the Fortinet Knowledge Base article Registration Frequently Asked Questions.
Customer service & technical support
Fortinet Technical Support provides services designed to make sure that you can install your Fortinet products quickly, configure them easily, and operate them reliably in your network.

To learn about the technical support services that Fortinet provides, visit the Fortinet Technical Support web site at https://support.fortinet.com.

You can dramatically improve the time that it takes to resolve your technical support ticket by providing your configuration file, a network diagram, and other specific information. For a list of required information, see the Fortinet Knowledge Base article Technical Support Requirements.
Training
Fortinet Training Services provides classes that orient you quickly to your new equipment, and certifications to verify your knowledge level. Fortinet provides a variety of training programs to serve the needs of our customers and partners world-wide.

To learn about the training services that Fortinet provides, visit the Fortinet Training Services web site at http://campus.training.fortinet.com, or email them at training@fortinet.com.

Documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes.

In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Base.
Fortinet Tools and Documentation CD
Many Fortinet publications are available on the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For current versions of Fortinet documentation, visit the Fortinet Technical Documentation web site, http://docs.fortinet.com.
Fortinet Knowledge Base
The Fortinet Knowledge Base provides additional Fortinet technical documentation, such as troubleshooting and how-to articles, examples, FAQs, technical notes, and more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.

Comments on Fortinet technical documentation
Please send information about any errors or omissions in this technical document to techdoc@fortinet.com.

Scope
This document describes how to use the web-based manager of the FortiWeb unit. It assumes you have already successfully installed the FortiWeb unit by following the instructions in the FortiWeb Installation Guide.

At this stage:
• You have administrative access to the web-based manager and/or CLI.
• The FortiWeb unit is integrated into your network.
• The operation mode has been configured.
• The system time, DNS settings, administrator password, and network interfaces have been configured.
• Firmware updates have been completed.
• Basic policies have been configured.

Once that basic installation is complete, you can use this document. This document explains how to use the web-based manager to:
• maintain the FortiWeb unit, including backups
• reconfigure basic items that were configured during installation
• configure advanced features, such as customized protection profiles, logging, and reporting

This document does not cover commands for the command line interface (CLI). For information on the CLI, see the FortiWeb CLI Reference.

Conventions
Fortinet technical documentation uses the conventions described below.

IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918.

Cautions, Notes, & Tips
Fortinet technical documentation uses the following guidance and styles for cautions, notes and tips.

Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.

Note: Presents useful information, usually focused on an alternative, optional method, such as a shortcut, to perform a step.

Tip: Highlights useful additional information, often tailored to your workplace activity.

Typographical conventions
Fortinet documentation uses the following typographical conventions:

Convention: Example
Button, menu, text box, field, or check box label: From Minimum log level, select Notification.
CLI input:
    config system dns
        set primary
CLI output:
    FGT-602803030703 # get system settings
    comments : (null)
    opmode : nat
Emphasis: HTTP connections are not secure and can be intercepted by a third party.
File content:
    Firewall
    Authentication
    You must authenticate to use this service.
Hyperlink: Visit the Fortinet Technical Support web site, https://support.fortinet.com.
Keyboard entry: Type a name for the remote VPN peer or client, such as Central_Office_1.
Navigation: Go to VPN > IPSEC > Auto Key (IKE).
Publication: For details, see the FortiGate Administration Guide.

Command syntax conventions
The command line interface (CLI) requires that you use valid syntax, and conform to expected input constraints. It will reject invalid commands. Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as

Table 2: Command syntax notation
Convention: Description
Square brackets []: A non-required word or series of words. For example:
    [verbose {1 | 2 | 3}]
indicates that you may either omit or type both the verbose word and its accompanying option, such as:
    verbose 3
Angle brackets <>: A word constrained by data type. To define acceptable input, the angled brackets contain a descriptive name followed by an underscore (_) and suffix that indicates the valid data type. For example:
Data types include:
Curly braces {}: A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces. You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ].
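The three notations in Table 2 define a small grammar, and the quickest way to see exactly which command lines a pattern such as [verbose {1 | 2 | 3}] admits is to expand it mechanically. The following Python is an added example, not Fortinet code and not part of this guide; it assumes only the notation described above (bare words are literal, [ ] is optional, { a | b } is a one-of choice, and a <name_type> placeholder matches any single token, since the data type list itself is not reproduced here). Space-delimited options inside braces are not handled; only the vertical-bar form is.

```python
"""Expand Fortinet-style CLI syntax notation into the command forms it permits.

Added example, not Fortinet's code. It implements only the notation the guide
describes: bare words are literal, [ ] marks an optional part, { a | b } marks a
choice of exactly one alternative, and <name_type> is a placeholder that here
matches any single token (the guide's list of data types is not modelled).
Space-delimited options inside braces are not supported; use vertical bars.
"""
import re
from typing import List, Set, Tuple

Form = Tuple[str, ...]

# One token per bracket, brace, bar, <placeholder>, or bare word.
_TOKEN = re.compile(r"\[|\]|\{|\}|\||<[^>]+>|[^\s\[\]{}|<>]+")


def tokenize(pattern: str) -> List[str]:
    return _TOKEN.findall(pattern)


def _parse_seq(tokens: List[str], i: int, stop: Set[str]) -> Tuple[Set[Form], int]:
    """Parse items until a token in `stop` (or the end); return (forms, index).

    `forms` is the set of token sequences the parsed span can produce.
    """
    forms: Set[Form] = {()}
    while i < len(tokens) and tokens[i] not in stop:
        tok = tokens[i]
        if tok == "[":
            inner, i = _parse_seq(tokens, i + 1, {"]"})
            if i >= len(tokens):
                raise ValueError("unclosed [")
            inner = inner | {()}  # optional: the whole group may be omitted
            i += 1
        elif tok == "{":
            inner = set()
            while True:  # one alternative per '|'-separated span
                alt, i = _parse_seq(tokens, i + 1, {"|", "}"})
                inner |= alt
                if i >= len(tokens):
                    raise ValueError("unclosed {")
                if tokens[i] == "}":
                    break
            if () in inner:
                raise ValueError("empty alternative in { }")
            i += 1
        elif tok in ("]", "}", "|"):
            raise ValueError(f"unexpected {tok!r} at token {i}")
        else:
            inner = {(tok,)}  # literal word or <placeholder>
            i += 1
        # Concatenate every form so far with every form of this item.
        forms = {a + b for a in forms for b in inner}
    return forms, i


def expand(pattern: str) -> Set[Form]:
    """All exact token sequences the pattern permits."""
    forms, _ = _parse_seq(tokenize(pattern), 0, set())
    return forms


def matches(pattern: str, command: str) -> bool:
    """True if `command` is one of the forms the pattern permits."""
    words = tuple(command.split())
    for form in expand(pattern):
        if len(form) == len(words) and all(
            f.startswith("<") or f == w for f, w in zip(form, words)
        ):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample patterns and command lines.
    for pat, cmd in [("[verbose {1 | 2 | 3}]", "verbose 3"),
                     ("[verbose {1 | 2 | 3}]", "verbose 4"),
                     ("set primary <address_ipv4>", "set primary 192.0.2.1")]:
        print(f"{pat!r:32} {cmd!r:26} -> {matches(pat, cmd)}")
```

Running the block prints one line per sample; expand("[verbose {1 | 2 | 3}]") yields four forms (the empty line plus verbose 1, 2 and 3), which is exactly the set Table 2 describes in words, and a malformed pattern such as an empty alternative raises ValueError rather than silently admitting nothing.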